1. What is the difference when I logon the EDB Portal at EDB Office?
Ans: If you access EDB
Portal at EDB Offices, it will automatically launch the EDB Portal Home Page
via https://portal.edb.gov.hk if you have already logon Windows Domain. In
other words, no further logon is required.
You will have the same experience when you logon the EDB Portal via FortiClient VPN.
2. How can I logout the EDB Portal securely?
Ans: You have to click
the sign-out option at the top right corner of EDB Portal Home. Remember to
close all the browser windows after your successful logout.
Since it will automatically logon again via Windows Domain Logon, please be reminded to lock your screen if your workstation is temporary unattended. Remember to sign-out your Windows when you leave your workstation for a prolonged period of time.
3. I have logon Windows Domain at EDB office. Why does it still prompt me to logon when I try to access?
Ans: By default, you
can automatically logon EDB Portal via your domain username and password.
However, if a logon box is prompted, please verify the following setting on
your Internet options from the control panel. Highlight Local Intranet and
click the Custom Level, then ensure that the "Automatic logon only in
Intranet zone" is selected.
4. How can I logon the EDB Portal on behalf of other accounts, for example: logon with my team account instead of my domain account?
Ans: By default, you
will logon EDB Portal on behalf of your domain account. If you would like to
logon on behalf of other account, you have to enable your browser to prompt the
logon box as follow:
Go to the Internet options from the control panel. Highlight Local Intranet and click the Custom Level, then select that the "Prompt for user name and password".
Then a logon box will prompt for your next logon, you can logon on behalf of other account.
5. Can I use other browsers such as Firefox to logon EDB Portal at EDB Office?
Ans: It supports
popular browsers including Chrome, Internet Explorer, Microsoft Edge etc.
However, to maintain the SSO experience at EDB Office, Firefox is required to
apply the settings with the following steps.
i. Start Firefox and in the address bar, type about:config.
ii. At the prompt that warns to proceed with caution, agree to continue.
iii. Search for each setting in the following table and provide the value
indicated.
Note: These steps are not required if you access EDB Portal via VPN.
Setting |
Value |
network.negotiate-auth.delegation-uris |
auth-sts.edb.gov.hk |
network.automatic-ntlm-auth.trusted-uris |
auth-sts.edb.gov.hk |
network.automatic-ntlm-auth.allow-proxies |
True |
network.negotiate-auth.allow-proxies |
True |
6. What is the difference when I logon the EDB Portal via Internet?
Ans: If you access EDB
Portal via Internet, you must logon the VPN first. You can simply access via https://portal.edb.gov.hk, and it will
redirect to VPN logon page. You have to pass the 2 factors authentication.
Use your DEFAULT
BROWSER to logon EDB Portal.
Please remember to logout both EDB Portal & VPN at top right corner of Sign Out option stated in Question 2.
Note: FortiClient VPN users have the same user experience as at EDB office and do NOT require VPN access.
7. What should I do before I can logon the DP applications via Internet?
Ans: Your workstation
or notebook must have the following pre-requisite before you can connect to the
VPN:
i. Install the VPN client software ii. Install the Government Departmental Portal Certificate
To ease your installation effort on Windows, you can simply download, unzip and run the VPN packaging software to accomplish all the required tasks.
For download software package: https://intranetsup.edb.gov.hk/irooms/help/edbvpn_setup_v3.zip
For details, please refer to the installation guideline as below: https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_VPN_Access.pdf
Note: You must
install the VPN client by the VPN Packaging Software
8. How do I logout the EDB Portal when connected with VPN?
Ans: Same as at EDB
Office, you must click the sign-out option at the top right corner of EDB
Portal Home. Remember to close all the browser windows after your successful
logout.
9. Which applications on EDB Portal require to connect VPN for access?
Ans: You must logon VPN
first before you access any EDB Portal applications via Internet (https://portal.edb.gov.hk). In other
words, all portal resources, except school mail systems, require VPN to access
via Internet.
10. Which version of Windows and Web browser support with the VPN?
Ans: Below is the
support version of Windows & Web browser for your reference.
Operating System |
Browser Version |
Windows 8.1 Windows 10 |
Internet
Explorer 11 |
Microsoft
Edge |
|
Chrome
70 or later |
|
Firefox
73 or later |
For Windows 10 1803 in particular, KB4103721 is required for VPN to work properly.
For details: https://support.microsoft.com/en-us/help/4103721/windows-10-update-kb4103721
Please ensure that the latest patch has been applied on your Windows.
11. Does it support EDB Portal with Mac OS?
Ans: Yes, it supports
with Mac OS to access EDB Portal. You need to logon VPN before we can access
any EDB resources. You are required to install both VPN clients & DP
certificate on your MAC for VPN connection. Please refer to the installation
guideline for details. https://intranetsup.edb.gov.hk/irooms/help/VPN_mac.pdf
12. Any additional steps should I do if I use Firefox to logon EDB Portal via VPN?
Ans: Yes, since our VPN
packaging software will install the DP certificate into windows certificate
store, Firefox would read its own certificate store instead. In other words, it
is required to install the certificate manually by yourself:
i. Go to VPN portal: https://intranetsup.edb.gov.hk/irooms/help/vpnforportal.html
ii. Right click 2. RootCA Certificate and choose
“save as” to download the certificate.
iii.Open Firefox, go to
Options, Security & Privacy
iv. Go to Certificate Section, click view Certificate
v. Then click import, check the box: “Trust this CA to identify websites.” and
click OK. The CA certificate will be imported successfully.
13. How can I change my password via Internet?
Ans: You can change
your password by clicking the option at the top right corner of EDB Portal
Home.
14. Can I use mobile to access EDB Portal?
Ans: Again, you can
access EDB Portal via VPN. Mobile app is required to install on your mobile for
VPN access. Mobile app has version for both iOS and Android. Please refer to
the installation guideline for details.
15. Does VPN software have any incompatibility issues with other software?
Ans: It is reported
that your workstation may fail to connect the VPN if your workstation is
installed with some endpoint protection software such as Kaspersky 10 SP1
MR3. However, the problem is resolved after it is upgraded it to Kaspersky 10 SP2
MR3.
16. Why do I fail to logon Departmental Portal applications such as ePayroll/eLeaeve although I have successfully logon the VPN?
Ans: It is probably
your workstation failed to install the certificate. You may verify whether the
DP certificate is installed properly on your workstation highlighted in blue as
below.
1.
Click Start, type certmgr.msc in the search field
2. Check whether the certificate "Root CA 256" exists
Such problem could be avoided if you deploy your VPN client via the packaging software. In such case, you are required to uninstall the VPN software (Please refer to Q18 for details) and then install back the VPN via our VPN package.
17. Why do my e-Leave just popup and disappear when I click the link via EDB Portal?
Ans: e-Leave may be
blocked by the popup blocker of browser. It is required to configure your
browser under the following steps to enable e-Leave access:
1. Click the settings from the Google Chrome menu (Icon with the three dots in the upper right corner)
2.
Select Privacy and Security at the left panel
3. Click the Site Settings button.
4. Select Pop-ups and redirects.
5. To enable pop-ups on specific sites, check Blocked (recommended) Click Add next to Allow and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg
6. If it doesn’t work, you may try to disable the pop-up blocker uncheck the Blocked box circled in blue.
1.
Click the settings from the New Edge menu (Icon with the three dots in the
upper right corner)
2. Select Site Permissions at the left panel.
3. Select Pop-ups and redirects.
4. Move the Block toggle to On. Click Add and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg
1. Click the tools menu from top right corner and select Internet Options.
2.
Select the Privacy tab.
3. Click Setting for the Pop-up Blocker.
4. Type https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg to the allowed web site & click Add then Close.
1.
Open Firefox browser. Click the Tools menu (the icon of three horizontal
lines in the top right of the browser window). Select Options.
2. Select the Privacy and Security Panel.
3. Under the Permission Section, click the Exceptions at the Block pop-up
windows.
4. Add https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg as the allowed web sites and save changes.
18. How can I remove VPN client from my workstation?
Ans: Go to Control
Panel -> Program and Features. There you can remove your VPN by removing the
program “BIG-IP Edge Client Components (All Users)” circled in red as below.
19. When I try to connect the VPN, the following screen is prompted. What should I do?
Ans: No panic. The
browser session may not terminate properly during the last logon. Please click
“here” and you can logon the VPN again.
20. Why do my VPN disconnect automatically and how can I fix it?
Ans: There may be
several possibilities, such as incompatibility of OS (Q.11) or software (Q.15)
with VPN clients. Another possibility is that the VPN adapters of Windows are
corrupted. It occasionally happens on the Windows 10 version prior to 1903,
such as 1803, 1809, etc. You can fix this by the following steps:
i. Run “devmgmt.msc” and click “OK”
ii. Device Manager will prompt. Under Network Adapters, uninstall all adapters starting with “WAN Miniport” by right click and select uninstall
iii. Once the uninstall is complete, go to the menu bar and select “Scan for Hardware Changes” under “Action”. Those adapters will reinstall automatically without restarting your PC.
21. Will all traffic be redirected to the EDB network after the VPN is connected?
Ans: No. Split
tunnelling is deployed for our VPN solution. In other words, only traffic which
access EDB DP & CCGO resources will be redirected to the EDB network via
VPN. User can still browse internet or access any resources on your own network
even when the VPN is connected.
22. What is the password requirement of EDB Portal?
Ans: Use passwords with
at least 8 characters composed of ALL of the following
categories:
The last 8 passwords must not be re-used.
23. Why do I fail to launch e-Payroll/e-Leave, even I have successfully connected via my VPN app on Android?
Ans: For Android 9 or
newer, you are required to turn off Private DNS by go to the network settings
-> Connections -> Private DNS and turn it off.
24. How do I register two factor authentication?
Ans: It is simple to
register two factor authentication by going to VPN Portal
and click "register 2FA now" under the 2FA Registration Section.
Please refer to the guideline for
details.
You are required to logon your school mail system to get your QR code for importing the second authentication factor.
25. What should I do if I switch to a new mobile?
Ans: When you switch to
a new mobile, you can simply re-scan the QR code that you have previously
received to set up the one-time password on your new mobile. If you need us to
resend the QR code, click “Resend QR code (for registered only)”. Bring up your
old mobile to pass the two factor authentication and
then email with your QR code will be sent to you immediately.
26. Can I register my one-time password for more than one mobile?
Ans: Yes, you can.
There is no restriction to setup one-time password on multiple mobile devices.
27. What should I do if I have lost my mobile?
Ans: If you have lost
your mobile, you have to report to Help Desk first and will delete your
previous registration. Then you can regenerate a new QR code by clicking
“Register 2FA” for your new mobile.
28. How can I enable 2FA on my mobile VPN app?
Ans: You are required
to modify the path: vpn.edb.gov.hk/2fa and enable the web logon on the app
circled in red. Please refer to the installation guideline for details.
https://intranetsup.edb.gov.hk/irooms/help/VPN_mobile.pdf
29. Are there any privacy concerns to install the Microsoft Authenticator on a mobile?
Ans: Microsoft
Authenticator is a two-factor authentication program installed on your mobile.
It solely helps you to secure your VPN account by using the industry standard
time-based One Time Password (OTP). As a matter of fact, other apps such as
Google Authenticator, etc. can also be used to serve the same purpose.
Microsoft Authenticator app collects three types of information:
• Account info that you provide when you add your
account. This data can be removed by removing your account.
• Diagnostic log data that stays only in the app until you use Send feedback
in the app's top menu to send logs to Microsoft. These logs can contain
personal data such as email addresses, server addresses, or IP addresses. They
also can contain device data such as device name and operating system version.
Any personal data collected is limited to info needed to help troubleshoot app
issues. You can browse these log files in the app at any time to see the info
being gathered. If you send your log files, Authentication app engineers will
use them only to troubleshoot customer-reported issues. If you do not send
any log files, the data will not leave your device.
• Non-personally identifiable usage data, such
"started add account flow/successfully added account," or
"notification approved." This data is an integral part of our
engineering decisions. Your usage helps the vendor to determine where they can
improve the apps. You see a notification of this data collection when you use
the app for the first time. It informs you that it can be turned off on the
app's Settings page. You can turn this setting on or off at any time.
Please refer to the following link for further details:
Questions
& answers about Microsoft Authenticator app - Azure AD | Microsoft Docs
30. Is there any option other than installing the authenticator app on a mobile device?
Ans: As an alternative,
you can install a Chrome browser extension by following the user guide.
However, it is most common to use a mobile phone with an Authenticator App for
2-factor authentication because it is more convenient and easier to use.
https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_Authenticator_as_Browser_extension.pdf
31. Is the Authenticator extension safe to use?
Ans: The Authenticator
Chrome extension does not require any extra permissions. It does not have the
capability to access other files on the computer. It only generates a 6-digit one-time
password using a standard time-based algorithm and the key in the QR code.
32. Why do I keep failure to logon with my one-time password?
Ans: Sometimes, Android
mobile encounter out sync of time and will causes your one-time password out of
sync with the server. You are required to re-sync your system time again by
going to Settings -> System & Devices -> Date and Time -> Use
Network Provided Time, then toggle off and on the button.
Note: Different Android version may have a bit different way to reset your time sync.
33. Why do I keep on looping to the VPN redirection page (a page with 3 seconds count down) even I have successfullyl logon VPN?
Ans: Some workstations
may fail to redirect the EDB Portal Home Page when they have installed NOD32
ESET client software. Further configuration is required to whitelist our VPN.
Please follow the guideline below.
https://intranetsup.edb.gov.hk/irooms/help/ESET_Endpoint_Security_Whitelist.pdf
34. What should I do if a script error is prompted while attempting to connect VPN?
Ans: Whenever you
encounter this error, click Yes and then press Cltr
& F5 together. Your browser will refresh and the problem will be probably
gone.
35. For other enquiry, please contact Help Desk at 3540-7305.